Comparing CodeTwo Move & Delete Watchdog vs. Native Exchange Protections

How to Configure CodeTwo Move & Delete Watchdog for Exchange and Office 365

Protecting mailboxes from accidental or malicious mass moves and deletions is a critical part of email administration. CodeTwo Move & Delete Watchdog (MDW) helps prevent large-scale mailbox changes by monitoring mailbox operations and pausing or blocking suspicious activity while notifying admins. This guide walks through planning, installation, configuration, and testing for both on-premises Exchange and Microsoft 365 (Office 365) environments.


Overview: what MDW does and why it’s useful

CodeTwo MDW monitors mailbox operations such as moves, deletions, and permission changes. When it detects activity that matches configured thresholds (for example, many items moved from multiple mailboxes in a short window), it can:

  • Pause/stop the operation to prevent further damage
  • Alert administrators via email and logs
  • Provide rollback or recovery guidance by documenting the affected mailboxes and items

This is especially useful to protect against human error (bulk rules, wrong filters) and compromised accounts performing mass mail cleanup or exfiltration.


Planning and prerequisites

System and account requirements

  • For Exchange on-premises: Exchange Server 2013, 2016, 2019 (and later supported versions) — check CodeTwo documentation for exact supported builds.
  • For Microsoft 365: a tenant with administrator privileges and appropriate API access (Exchange Online).
  • A Windows server (or VM) to install the MDW service/console; ensure antivirus exclusions and firewall rules permit required traffic.
  • Service account with necessary permissions:
    • For Exchange on-premises: an account with Organization Management or equivalent rights to monitor mailbox operations and query mailbox data.
    • For Exchange Online: a global admin or a least-privilege account granted the required Exchange Online roles and application permissions per CodeTwo guidance.
  • PowerShell remoting and modern authentication enabled where required for Office 365.

Design decisions

Decide on these before installing:

  • Scope: monitor all mailboxes or a subset (high-value users, shared mailboxes).
  • Thresholds: number of items/mails moved or deleted in a sliding time window that should trigger action. Common starting point: 10–50 items within 5–15 minutes for sensitive mailboxes; adjust by observing baseline activity.
  • Actions: block automatically, pause and require manual approval, or only alert.
  • Notification channels: email to security team, integration with SIEM or ticketing via webhook if supported.

Installation

1) Download and prepare

  • Download the latest CodeTwo Move & Delete Watchdog installer from CodeTwo’s site.
  • Ensure the server where you’ll install has the latest Windows updates and .NET prerequisites specified by CodeTwo.

2) Run the installer

  • Launch the installer as an administrator.
  • Choose typical installation for a single-server setup or custom for advanced topologies.
  • During installation you’ll create/configure the service account and specify connectivity settings for Exchange or Exchange Online.

3) Configure connectivity

  • For Exchange on-premises: provide the Exchange server address and credentials for the service account. Ensure the account has the required roles.
  • For Exchange Online: follow prompts to authenticate the service account. You may be asked to grant delegated or application permissions. Use modern authentication (OAuth) where supported and consent as admin when prompted.

Initial configuration

Licensing

  • Apply your license key in the MDW console after installation. Confirm license validity and monitored mailbox counts.

Define monitored scope

  • In the MDW management console, create monitoring rules or groups:
    • Add mailboxes or mailbox filters (by OU, group membership, or naming pattern).
    • For Office 365, you can add by user principal name (UPN), security group, or dynamic group criteria.

Set thresholds and time windows

  • Create thresholds for actions. Example configuration:
    • Low severity: 10 items moved/deleted within 10 minutes → send alert only.
    • Medium severity: 25 items within 10 minutes → pause operation and send alert.
    • High severity: 100 items within 10 minutes → block and isolate account (if supported).
  • Start conservative (alerts only) for 1–2 weeks to observe normal behavior, then tighten rules.

Choose actions

  • MDW supports actions such as:
    • Blocking the operation immediately.
    • Pausing the operation and queuing for admin review.
    • Logging and alerting only.
  • For critical mailboxes, prefer pause/block. For broad monitoring, start with alert-only.

Notifications and escalation

  • Configure notification recipients, templates, and escalation rules.
  • Integrate with SMTP or an internal notification system; include mailbox details, count, timestamps, and links to logs or reports.

Advanced configuration

Exclusions and exceptions

  • Exclude trusted service accounts (backup solutions, migration tools) to avoid false positives. Use allowlists for known automation accounts and migration windows.

Role-based access control (RBAC)

  • Define which admins can change thresholds, approve paused operations, or view sensitive logs. Use least privilege.

Integration with SIEM and automation

  • Configure MDW to send alerts/logs to SIEM via syslog, webhook, or API (if supported). Automate incident creation in ticketing systems for high-severity events.

Scheduling and maintenance windows

  • Add maintenance windows where bulk actions (migrations, cleanups) are allowed without triggering alerts. Schedule exceptions for migration team accounts.

Testing and tuning

Test scenarios

  1. Simulated bulk delete: from a test mailbox, delete X items within the defined time window to verify detection and the chosen action.
  2. Simulated migration: run a controlled mailbox move inside a maintenance window to confirm that the allowlist works and no false alarms are raised.
  3. Compromised-account simulation: script a high-frequency delete/move from a non-allowlisted test account to verify the block action and the notification.

Tuning tips

  • Monitor false positives for 1–2 weeks, then adjust thresholds.
  • Use different thresholds per mailbox class (executives vs. regular users).
  • Keep an audit trail of changes to MDW rules to understand configuration drift.

Recovery and incident response

Immediate steps after detection

  • Follow internal incident response: isolate the account, disable compromised credentials, force password reset or MFA enforcement.
  • Use Exchange/Office 365 retention and eDiscovery tools to recover deleted items (Recoverable Items folder, Litigation Hold, or backups). MDW logs provide a list of affected mailboxes and timestamps, speeding recovery.

Post-incident review

  • Analyze how the event occurred: misconfigured rules, compromised credentials, or malicious insider.
  • Adjust MDW thresholds, expand allowlists for legitimate automation, and update documentation and runbooks.

Troubleshooting common issues

  • False positives during migrations: add migration service accounts to allowlist and configure maintenance windows.
  • Alerts not received: verify SMTP settings and spam filtering; check notification recipient addresses.
  • Service cannot connect to Exchange Online: re-authenticate service account, ensure granted permissions and that conditional access policies don’t block the service.
  • High baseline activity: raise thresholds or use adaptive thresholds per mailbox class.

Example configuration (concise)

  • Monitored scope: all user mailboxes except backup and migration accounts.
  • Thresholds:
    • Alert: 15 items / 10 min
    • Pause: 40 items / 10 min
    • Block: 150 items / 10 min
  • Notifications: [email protected] + ticketing webhook for Pause/Block
  • Maintenance windows: Saturdays 02:00–06:00 UTC for migrations
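The threshold, allowlist and maintenance-window logic described in the sections above, exercised against the three test scenarios from "Testing and tuning", written out as an added Python example. This is not CodeTwo's code and does not call MDW's API; it assumes a per-actor sliding window of 10 minutes with the alert/pause/block tiers from the concise example configuration, constructed account names, mailbox names and timestamps, and a Saturday 02:00–06:00 UTC maintenance window during which no account's activity is counted.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tiers from the guide's "Example configuration (concise)", checked highest first:
# block at 150, pause at 40, alert at 15 items within a 10-minute window.
WINDOW = timedelta(minutes=10)
TIERS = [(150, "block"), (40, "pause"), (15, "alert")]

# Assumed allowlist of automation accounts (constructed names, not real ones).
ALLOWLIST = {"svc-backup@example.com", "svc-migration@example.com"}


def in_maintenance_window(ts: datetime) -> bool:
    """Assumed maintenance window: Saturday 02:00-06:00 UTC (weekday() == 5 is Saturday)."""
    return ts.weekday() == 5 and 2 <= ts.hour < 6


@dataclass
class Event:
    """One constructed mailbox audit record."""
    ts: datetime
    actor: str       # account performing the move/delete
    mailbox: str     # mailbox acted upon
    op: str          # e.g. "Move", "SoftDelete", "HardDelete"
    count: int = 1   # number of items affected by this record


class WindowDetector:
    """Per-actor sliding-window counter of moved/deleted items, mapped to an action tier."""

    def __init__(self, window=WINDOW, tiers=TIERS, allowlist=ALLOWLIST):
        self.window = window
        self.tiers = tiers
        self.allowlist = allowlist
        self._hist = {}       # actor -> deque of (timestamp, count)
        self.findings = []    # every tier hit, kept as an audit trail

    def feed(self, ev: Event):
        """Ingest one event; return the triggered finding, or None when below all tiers."""
        # Exclusions: allowlisted automation accounts and maintenance windows are not counted.
        if ev.actor in self.allowlist or in_maintenance_window(ev.ts):
            return None
        q = self._hist.setdefault(ev.actor, deque())
        q.append((ev.ts, ev.count))
        # Drop records older than the window so the count reflects only recent activity.
        cutoff = ev.ts - self.window
        while q and q[0][0] < cutoff:
            q.popleft()
        total = sum(c for _, c in q)
        for threshold, action in self.tiers:
            if total >= threshold:
                finding = {"actor": ev.actor, "action": action, "items": total, "at": ev.ts}
                self.findings.append(finding)
                return finding
        return None


def run_scenarios():
    """Replay the guide's test scenarios (plus a slow-cleanup control) on constructed records."""
    det = WindowDetector()
    out = {}
    monday = datetime(2024, 6, 10, 9, 0)     # constructed: Monday 09:00 UTC
    saturday = datetime(2024, 6, 15, 3, 0)   # constructed: inside the Saturday window

    # 1. Simulated bulk delete: 20 single-item deletes over ~6 minutes reaches the "alert" tier.
    last = None
    for i in range(20):
        last = det.feed(Event(monday + timedelta(seconds=20 * i),
                              "alice@example.com", "alice@example.com", "SoftDelete"))
    out["bulk_delete"] = last

    # 2. Simulated migration inside the maintenance window: 500 items moved, no finding.
    out["maintenance_move"] = det.feed(Event(saturday, "migrator@example.com",
                                             "shared-finance@example.com", "Move", count=500))

    # 3. Compromised-account simulation: four 50-item hard deletes in 90 seconds escalate
    #    through "pause" (50, 100) to "block" (150, 200).
    last = None
    for i in range(4):
        last = det.feed(Event(monday + timedelta(hours=1, seconds=30 * i),
                              "bob@example.com", "bob@example.com", "HardDelete", count=50))
    out["compromised"] = last

    # 4. Slow cleanup control: 14 items, then 14 more 20 minutes later. The first batch has
    #    left the 10-minute window by then, so neither batch reaches the alert tier.
    det.feed(Event(monday + timedelta(hours=2), "alice@example.com",
                   "alice@example.com", "SoftDelete", count=14))
    out["slow_cleanup"] = det.feed(Event(monday + timedelta(hours=2, minutes=20),
                                         "alice@example.com", "alice@example.com",
                                         "SoftDelete", count=14))
    return out


if __name__ == "__main__":
    for name, finding in run_scenarios().items():
        print(f"{name}: {finding}")
```

The counter is keyed on the acting account rather than the target mailbox, because a compromised account or a runaway rule usually touches many mailboxes while each mailbox sees only a few items. Suppressing counting for every account during the maintenance window matches the guide's permissive reading; a stricter variant would only exempt the migration team's accounts during that window and keep counting everyone else.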

Final notes

Start in monitoring/alert mode to learn your environment, then progressively enable pause/block actions for high-value mailboxes. Combine MDW with good identity protection (MFA, conditional access) and mailbox retention policies to minimize risk and speed recovery when incidents occur.
